| Field | Value |
|---|---|
| Summary | dev-python/bleach-3.1.4: vulnerable to ReDoS |
| Product | Gentoo Security |
| Reporter | Sebastian Pipping <sping> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | python |
| Priority | Normal |
| Flags | stable-bot: sanity-check+ |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://github.com/mozilla/bleach/blob/2df82b5e61af5f597bb479396853f020ab15134d/CHANGES#L7-L22 |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=714596, https://bugs.gentoo.org/show_bug.cgi?id=710148 |
| Whiteboard | B3 [noglsa] |
| Package list | dev-python/bleach-3.1.4 |
| Runtime testing required | --- |
| Bug Depends on | 710148 |
| Bug Blocks | |
Description
Sebastian Pipping
2020-03-27 15:24:42 UTC

Comment #1 (Sam James (sam_c) (security padawan)):

Thanks for chasing it upstream. I guess let's proceed like normal -- if you like, some ewarn could be added for a bit when people upgrade rather than a fresh install. So, are you ready for stabilisation (you may ofc call yourself too)?

Comment #2 (Sebastian Pipping):

(In reply to Sam James (sam_c) (security padawan) from comment #1)
> So, are you ready for stabilisation (you may ofc call yourself too)?

There are known failing tests for all versions of bleach (bug #710148) and we're stabilizing bleach 3.1.3 in bug #714596 right now. I don't want to advise against making 3.1.4 stable but I'm at least reluctant to advise for it.

Comment #3 (Sam James (sam_c) (security padawan)):

(In reply to Sebastian Pipping from comment #2)
> (In reply to Sam James (sam_c) (security padawan) from comment #1)
> > So, are you ready for stabilisation (you may ofc call yourself too)?
>
> There are known failing tests for all versions of bleach (bug #710148) and
> we're stabilizing bleach 3.1.3 in bug #714596 right now. I don't want to
> advise against making 3.1.4 stable but I'm at least reluctant to advise for
> it.

Let's wait until Python 3.7.7 is stable (bug 715124).

Comment #4 (Sam James (sam_c) (security padawan)):

(In reply to Sam James (sam_c) (security padawan) from comment #3)
> (In reply to Sebastian Pipping from comment #2)
> > (In reply to Sam James (sam_c) (security padawan) from comment #1)
> > > So, are you ready for stabilisation (you may ofc call yourself too)?
> >
> > There are known failing tests for all versions of bleach (bug #710148) and
> > we're stabilizing bleach 3.1.3 in bug #714596 right now. I don't want to
> > advise against making 3.1.4 stable but I'm at least reluctant to advise for
> > it.
>
> Let's wait until Python 3.7.7 is stable (bug 715124).

Actually, on second thought: this is an issue which will affect users of bleach too on buggy Python versions. It's unrelated to the stabilisation of a newer bleach, right?

Comment #5 (Sam James (sam_c) (security padawan)):

The test failure bug has now been closed because it was due to the Python version.

Are we alright to stabilise now, given it was independent of bleach? Thanks!

Comment #6 (Sebastian Pipping):

(In reply to Sam James (sam_c) (security padawan) from comment #5)
> The test failure bug has now been closed because it was due to the Python
> version.
>
> Are we alright to stabilise now, given it was independent of bleach? Thanks!

Given https://bugs.gentoo.org/714596#h4 and the fact that we still have 3.1.3 around I think it's fair to continue.

Adding arches now…

arm64 stable

amd64 arm ia64 ppc ppc64 x86 hppa s390 sparc ALLARCHES stable

Cleanup done.

GLSA vote: No.